802.1x Method Status List Empty

DM812
Level 1

We're seeing an issue on our 9200 series switches where we get the message "Method Status List Empty" when trying to authenticate devices either for the first time or when a switch is restarted. To resolve it, "clear authentication sessions" is required for the devices to then go through authentication again, which works but is not a solution; before running this, a device will sit as "UNKNOWN Unauth". I did see a bug for this, but that relates to an older IOS version well before ours. Anyone have any ideas on how to resolve this?


marce1000
VIP

 - Generally speaking, try the latest advisory release for the platform; if a bug remains persistent and is not mentioned as such in bug search, then you need to report back to TAC.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

In addition to what @marce1000 said, when asking a question on these forums, it's also generally a good idea to tell us what version of software you're on, and some configurations that relate to the issue. e.g. you could send us the config output relating to the interface (show derived-config int x/y/z) and your IBNS 1.0/2.0 config.  NAC config does tend to sprawl all over the place.

Have you followed the general advice given in Wired Prescriptive Guide?

Share the config of port

MHM

DM812
Level 1

See example port config below, this only affects a chunk of ports at a time and affects both data and voice devices...

The below config is also set on a large number of switches and is working fine.

IOS: 17.6.3

Port Config:

interface GigabitEthernet1/0/1
 switchport access vlan 5
 switchport mode access
 switchport voice vlan 10
 authentication control-direction in
 authentication event server dead action authorize vlan 5
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 65535
 authentication timer restart 10800
 authentication violation replace
 mab
 trust device cisco-phone
 dot1x pae authenticator
 dot1x timeout quiet-period 30
 dot1x timeout tx-period 10
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy

Global Config:

dot1x system-auth-control
!
aaa group server radius Servers
 server name Server1
!
aaa authentication dot1x default group Servers
aaa authorization network default group Servers
radius-server vsa send authentication
!
radius server Server1
 address ipv4 192.168.5.10 auth-port 1812 acct-port 1813
 key [key]
 timeout 2
!
aaa server radius dynamic-author
 client 192.168.5.10 server-key [key]
 port 3799
!
aaa accounting dot1x default start-stop group Servers

@DM812 - I think the config looks good. It appears you're using Aruba Clearpass as your RADIUS server? Do you see the Access-Request come to the server on the initial endpoint connection attempt (where the switch then puts the session in Method Status List Empty)?  Curious to know if any RADIUS traffic goes to the server, and what the server responds with.

I can see the request on our RADIUS server; it accepts the device, returns as accepted, authenticated, and sends the correct VLAN, but when looking on the switch, it fails the auth.
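
One way to check what the server actually sent back, as an added example that is not part of the original thread: decode a captured RADIUS reply and confirm it is an Access-Accept carrying the RFC 3580 VLAN triplet (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The sample packet and the function names are constructed for illustration, and the Response Authenticator is not verified.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

# Constructed sample: an Access-Accept assigning VLAN "5", authenticator zeroed.
SAMPLE_ACCEPT = (bytes([2, 0x2A, 0, 35]) + bytes(16)
                 + bytes([64, 6, 0, 0, 0, 13])    # Tunnel-Type = VLAN
                 + bytes([65, 6, 0, 0, 0, 6])     # Tunnel-Medium-Type = IEEE-802
                 + bytes([81, 3]) + b"5")         # Tunnel-Private-Group-ID

def parse_radius(packet: bytes):
    """Return (code_name, {attr_type: [raw values]}) for one RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not fit the captured bytes")
    attrs, pos = {}, 20
    while pos < length:
        # Each attribute is Type(1) Length(1) Value; Length counts its own header.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"bad attribute at offset {pos}")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return CODES.get(code, f"code {code}"), attrs

def vlan_assignment(attrs):
    """Check the RFC 3580 VLAN triplet; return (vlan_or_None, [problems])."""
    def tagged_int(attr_type):
        # One tag octet followed by a 3-octet value (RFC 2868).
        value = attrs.get(attr_type, [b""])[0]
        return int.from_bytes(value[1:], "big") if len(value) == 4 else None
    problems = []
    if tagged_int(TUNNEL_TYPE) != 13:
        problems.append("Tunnel-Type is not VLAN (13)")
    if tagged_int(TUNNEL_MEDIUM_TYPE) != 6:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    raw = attrs.get(TUNNEL_PRIVATE_GROUP_ID, [b""])[0]
    if raw and raw[0] <= 0x1F:      # drop the optional leading tag octet
        raw = raw[1:]
    vlan = raw.decode("ascii", "replace") or None
    if vlan is None:
        problems.append("Tunnel-Private-Group-ID missing or empty")
    return vlan, problems

if __name__ == "__main__":
    code, attrs = parse_radius(SAMPLE_ACCEPT)
    print(code, vlan_assignment(attrs))
```

Feed it the UDP payload of the reply exported from a packet capture taken on the switch side of the path, so the result reflects what the switch received rather than what the server logged.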

show aaa server <<- share this 

thanks 

MHM